Gravitee surveyed 900+ executives and technical practitioners for their State of AI Agent Security 2026 report. Two numbers from it that don't make sense together:
- 88% of organizations reported confirmed or suspected AI agent security incidents in the last year
- 82% of executives feel confident their existing policies protect against unauthorized agent actions
Both numbers are real. Both are from the same report. And they describe the same organizations.
So what's going on?
The governance stack has a missing layer
The report also found that 80.9% of technical teams have moved past planning into active testing or production. But only 14.4% deployed with full security/IT sign-off. That means the majority of agents running in production right now were deployed without the security team approving them.
RSAC 2026 (March 23-27, San Francisco) made this painfully visible. Every major vendor announced agentic AI governance features:
- Cisco open-sourced DefenseClaw -- scans MCP servers, inventories agent skills, maps agents to owners
- Microsoft's Agent Governance Toolkit hit 354 stars, covers all 10 OWASP Agentic risks
- AWS shipped Bedrock AgentCore Policy to GA across 13 regions
- ServiceNow announced AI Control Tower for agent monitoring
- CrowdStrike, Palo Alto, BeyondTrust, Wiz all announced agent-focused features
Notice the pattern? Discovery, posture management, scanning, monitoring, identity. All important. All pre-execution or post-execution.
None of them ship the approval primitive.
What the approval primitive actually means
An approval primitive is a runtime enforcement point that intercepts an agent's tool call before it executes, evaluates it against a policy, and either allows it, denies it, or holds it for human review.
Not "log it and alert later." Not "scan it before deployment." Not "monitor for anomalies after the fact."
The action is literally paused. A human sees the exact payload -- the SQL query, the API request body, the email draft -- and makes a decision. Then the action proceeds or doesn't.
That's the layer the Gravitee numbers are screaming about. 82% of executives think their policies protect them because policies exist on paper. But 88% had incidents because nothing enforced those policies at the moment an agent decided to act.
Why this gap exists
Discovery and posture management are easier problems. You scan an environment, enumerate agents, classify risk. It's a batch job. You can ship it as a dashboard.
Runtime approval is harder because it sits in the hot path. Every tool call hits it. Latency matters. You need:
- A policy engine that evaluates in milliseconds
- An approval workflow that doesn't block the agent forever
- Integration with the agent framework (LangChain, CrewAI, MCP, etc.) at the tool-call level
- An audit trail that's tamper-evident, not just append-only logs
This is infrastructure, not a feature. And infrastructure takes longer to build than scanners.
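The intercept-evaluate-decide loop described above, together with the fail-closed approval window and hash-chained audit trail from the requirements list, as an added example (not SidClaw's, Faramesh's or any other vendor's code); the policy rules, tool names and the approver callback are constructed stand-ins:

```python
# Added example, not vendor code: a minimal approval primitive in the tool-call hot path.
# Policy rules, tool names and the human approver callback are constructed stand-ins.
import hashlib, json, re, time

class AuditTrail:
    """Hash-chained log: each record commits to the previous record's hash,
    so editing or dropping an earlier record breaks verification."""
    def __init__(self):
        self.records = []
    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "hash": digest})
    def verify(self):
        prev = "0" * 64
        for r in self.records:
            if r["prev"] != prev:
                return False
            if hashlib.sha256((prev + r["body"]).encode()).hexdigest() != r["hash"]:
                return False
            prev = r["hash"]
        return True

# Policy: first matching rule wins; a tool no rule covers is held, never silently allowed.
POLICY = [
    ("sql.query",  lambda a: re.match(r"^\s*select\b", a["query"], re.I), "allow"),
    ("sql.query",  lambda a: re.search(r"\b(delete|drop|update)\b", a["query"], re.I), "hold"),
    ("email.send", lambda a: a["to"].endswith("@example.com"), "allow"),
    ("email.send", lambda a: True, "hold"),
    ("shell.exec", lambda a: True, "deny"),
]

def evaluate(tool, args):
    """Pure in-memory evaluation: no I/O, so it stays in the millisecond budget."""
    for name, cond, decision in POLICY:
        if name == tool and cond(args):
            return decision
    return "hold"

def guarded_call(tool, args, impl, approver, trail):
    """Intercept a tool call: evaluate, pause for a human if held, audit, then run or refuse."""
    decision = evaluate(tool, args)
    if decision == "hold":
        # The human sees the exact payload. approver returns True/False, or None if the
        # review window expired with no answer; no answer fails closed to deny.
        decision = "allow" if approver(tool, args) is True else "deny"
    trail.append({"ts": time.time(), "tool": tool, "args": args, "decision": decision})
    return impl(**args) if decision == "allow" else None
```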
The competitive landscape is forming fast
A few teams are working on this specific layer:
- Faramesh Labs published an arXiv paper on their Action Authorization Boundary -- deterministic enforcement with a custom policy language (FPL). 13 framework integrations. Open-core. 30 GitHub stars. Early but serious.
- OpenBox AI launched on Product Hunt with $5M seed from Tykhe Ventures. Runtime governance with cryptographic attestation. SDK for LangChain, LangGraph, Temporal, n8n.
- HumanLayer (YC F24) had the @require_approval primitive but pivoted to CodeLayer. The original SDK hasn't been updated since June 2025.
- SidClaw (us) ships the approval workflow with a policy engine, compliance mapping to FINRA 2026 and EU AI Act, and hash-chain audit trails. 18+ framework integrations. Apache 2.0 SDK.
There are others (hoop.dev for Slack-routed infra approvals, AgentBouncr for lightweight policy enforcement, Barndoor AI for MCP-specific governance). The category is real and growing.
What the numbers predict
Gravitee's report also found that 25.5% of deployed agents can create and task other agents. Agent-to-agent delegation without approval checkpoints is where the 88% incident number is going to get worse.
EU AI Act enforcement starts in August 2026. FINRA's 2026 oversight report explicitly requires "explicit human checkpoints before execution" for agents that can act or transact. Regulatory pressure is real and has deadlines.
If your agents are in production without an approval layer, the question isn't whether you'll have an incident. According to the data, you probably already have.
Gravitee report: gravitee.io/state-of-ai-agent-security
SidClaw docs: docs.sidclaw.com
Faramesh: faramesh.dev
OpenBox: openbox.ai